Provisioning Keystone, apiserver and neutron with SSL
Ignatious Johnson edited this page Aug 31, 2016
This page describes provisioning keystone, api-server and neutron with SSL through contrail-fabric-utils. Keystone is configured with native SSL; api-server and neutron are put behind SSL termination using HAProxy.
- The env.keystone section in testbed.py is populated with auth_protocol set to 'https' to enable keystone SSL:

  ```python
  env.keystone = { 'auth_protocol' : 'https' }
  ```

- The env.cfgm section in testbed.py is populated with auth_protocol set to 'https' to enable api-server/neutron SSL:

  ```python
  env.cfgm = { 'auth_protocol' : 'https' }
  ```
With the above knobs set in testbed.py, `fab setup_all` will:
- Create certificates for keystone on the openstack node
- Copy the certificates to the other openstack nodes in an HA setup
- Configure and bring up the keystone service with SSL
- Create certificates for api-server/neutron on the config (cfgm) node
- Copy the certificates to the other config (cfgm) nodes in an HA setup
- Configure SSL termination for api-server/neutron using HAProxy
- Bring up the other openstack and contrail services so that they talk to keystone/api-server/neutron over https
- Nova boot fails due to a permission issue: https://bugs.launchpad.net/juniperopenstack/+bug/1613178

  Workaround:

  ```
  fab -R cfgm -- "usermod -a -G contrail neutron"
  fab -R cfgm -- "service neutron-server restart"
  ```
- Heat fails with an SSL-enabled contrail cluster: https://bugs.launchpad.net/juniperopenstack/+bug/1612826

  Workaround:

  ```
  fab -R openstack -- "openstack-config --set /etc/heat/heat.conf keystone_authtoken insecure True"
  fab -R openstack -- "openstack-config --set /etc/heat/heat.conf clients_keystone insecure True"
  fab -R openstack -- "openstack-config --set /etc/heat/heat.conf clients_neutron insecure True"
  fab -R openstack -- "openstack-config --set /etc/heat/heat.conf clients_contrail use_ssl True"
  ```

  followed by:

  Execute the following only if config and openstack are the same nodes:

  ```
  fab -R openstack -- "usermod -a -G contrail heat"
  ```

  Execute the following only if config and openstack are different nodes:

  ```
  fab -R openstack -- "mkdir -p /etc/contrail/ssl/certs"
  fab -R openstack tasks.helpers.copy:/etc/contrail/vnc_api_lib.ini,/etc/contrail/
  fab -R openstack tasks.helpers.copy:/etc/contrail/ssl/certs,/etc/contrail/ssl
  fab -R openstack -- "chown -R heat:heat /etc/contrail"
  ```

  Execute the following to restart the services:

  ```
  fab -R openstack -- "service heat-api restart"
  fab -R openstack -- "service heat-engine restart"
  fab -R openstack -- "service heat-api-cfn restart"
  ```
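Two checks a deployer typically wants after the steps above, as an added example that is not part of contrail-fabric-utils or of this wiki: first, a TLS probe that confirms the keystone, api-server and neutron endpoints brought up by `fab setup_all` present certificates that actually verify against the cluster CA (rather than just answering on an https port); second, an audit of heat.conf for the `insecure = True` settings written by the Heat workaround, since that option disables server-certificate verification for the affected client section and is worth tracking so it can be dropped once a CA is configured there. The hostnames, ports, the CA bundle path and the heat.conf contents are assumptions constructed for the example; the option names `cafile` (keystone_authtoken) and `ca_file` (clients_*) are the ones heat uses for a CA bundle.

```python
"""Post-provisioning TLS checks for an SSL-enabled keystone/api-server/neutron
cluster.  Added example, not part of contrail-fabric-utils.  Hostnames, ports
and the CA bundle path are assumptions; the heat.conf sample is constructed."""
import configparser
import socket
import ssl

# Assumed endpoints to probe after `fab setup_all` (names and ports are placeholders).
ASSUMED_ENDPOINTS = {
    "keystone": ("openstack.example.test", 5000),
    "api-server": ("cfgm.example.test", 8082),
    "neutron": ("cfgm.example.test", 9696),
}
# Assumed location of the CA certificate created/copied by the fab tasks.
ASSUMED_CA_BUNDLE = "/etc/contrail/ssl/certs/ca-cert.pem"


def probe_tls_endpoint(host, port, cafile, timeout=5.0):
    """Complete a TLS handshake with host:port, verifying the server chain and
    hostname against cafile, and return (common_name, not_after_epoch).

    Verification is mandatory here: a self-signed or mis-named certificate
    raises ssl.SSLCertVerificationError instead of being silently accepted the
    way `insecure = True` in heat.conf would accept it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    return subject.get("commonName"), ssl.cert_time_to_seconds(cert["notAfter"])


def find_unverified_tls(heat_conf_text):
    """Parse heat.conf text and list every section where `insecure = True`
    disables server-certificate verification (the Heat workaround sets it in
    keystone_authtoken, clients_keystone and clients_neutron).

    Each finding records whether a CA option is already present in that
    section (`cafile` for keystone_authtoken, `ca_file` for clients_*): a
    section with a CA configured no longer needs the insecure flag."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(heat_conf_text)
    findings = []
    for section in parser.sections():
        if not parser.has_option(section, "insecure"):
            continue
        if not parser.getboolean(section, "insecure"):
            continue
        has_ca = parser.has_option(section, "cafile") or parser.has_option(section, "ca_file")
        findings.append({"section": section, "has_ca": has_ca})
    return sorted(findings, key=lambda f: f["section"])


# Constructed heat.conf as it would look after the workaround commands.
SAMPLE_HEAT_CONF = """\
[DEFAULT]
debug = False

[keystone_authtoken]
auth_uri = https://openstack.example.test:5000/v2.0
insecure = True

[clients_keystone]
insecure = True

[clients_neutron]
insecure = True
ca_file = /etc/contrail/ssl/certs/ca-cert.pem

[clients_contrail]
use_ssl = True

[clients_nova]
insecure = False
"""


if __name__ == "__main__":
    for name, (host, port) in ASSUMED_ENDPOINTS.items():
        try:
            cn, not_after = probe_tls_endpoint(host, port, ASSUMED_CA_BUNDLE)
            print(f"{name:10s} {host}:{port} OK   CN={cn} expires_epoch={not_after}")
        except (ssl.SSLError, OSError) as exc:
            print(f"{name:10s} {host}:{port} FAIL {exc}")
    for f in find_unverified_tls(SAMPLE_HEAT_CONF):
        print(f"heat.conf [{f['section']}] insecure=True  ca_configured={f['has_ca']}")
```

Run it on a config node with the real CA path substituted; any endpoint reported as FAIL is one whose certificate the other openstack and contrail services would also reject unless they have been told to skip verification, and each heat.conf section listed with `ca_configured=False` is one where pointing the CA option at the distributed bundle lets the insecure flag be removed.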